First published: Thu Mar 25 2010
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv2, SSLv3, TLS, and other security standards.

Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. These facilities include threads, thread synchronization, normal file and network I/O, interval timing, calendar time, basic memory management (malloc and free), and shared library linking.

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746. (CVE-2009-3555)

Refer to the following Knowledgebase article for additional details about this flaw: http://kbase.redhat.com/faq/docs/DOC-20491

Users of Red Hat Certificate System 7.3 and 8.0 should review the following Knowledgebase article before installing this update: http://kbase.redhat.com/faq/docs/DOC-28439

All users of NSS are advised to upgrade to these updated packages, which update NSS to version 3.12.6. This erratum also updates the NSPR packages to the version required by NSS 3.12.6. All running applications using the NSS library must be restarted for this update to take effect.
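A defender-side check for the fix described above, as an added example that is not part of the advisory or of NSS: it parses a captured ServerHello handshake message and reports whether the server sent the RFC 5746 `renegotiation_info` extension (type 0xff01). The sample messages and the helper `build_server_hello` are constructed for illustration, and the check assumes the client offered the extension or the signalling cipher suite in its ClientHello.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type assigned by RFC 5746


def server_hello_renegotiation_info(msg: bytes):
    """Return renegotiated_connection from a ServerHello, or None if absent."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len or body_len < 35:
        raise ValueError("truncated handshake message")
    # Skip version (2), random (32), session_id (1 + n), cipher suite (2),
    # compression method (1).
    pos = 35 + body[34] + 3
    if pos > body_len:
        raise ValueError("truncated ServerHello body")
    if pos == body_len:
        return None  # no extensions block: stack predates RFC 5746
    if pos + 2 > body_len:
        raise ValueError("truncated extensions length")
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if end != body_len:
        raise ValueError("extensions length does not match message")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + ext_len]
        if len(data) != ext_len:
            raise ValueError("extension overruns message")
        if ext_type == RENEGOTIATION_INFO:
            # Payload is a one-byte length followed by that many bytes.
            if not data or data[0] != len(data) - 1:
                raise ValueError("malformed renegotiation_info")
            return data[1:]  # empty on an initial handshake
        pos += 4 + ext_len
    if pos != end:
        raise ValueError("trailing bytes in extensions block")
    return None


def build_server_hello(extensions: bytes) -> bytes:
    """Constructed sample: TLS 1.0 ServerHello, zero random, no session id."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        body += len(extensions).to_bytes(2, "big") + extensions
    return b"\x02" + len(body).to_bytes(3, "big") + body


PATCHED_HELLO = build_server_hello(b"\xff\x01\x00\x01\x00")  # constructed
LEGACY_HELLO = build_server_hello(b"")                       # constructed
```

A return value of `b""` on an initial handshake means the server advertises secure renegotiation; `None` means the extension was not sent.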
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/nspr | <4.8.4-1.el5_4 | 4.8.4-1.el5_4 |
redhat/nss | <3.12.6-1.el5_4 | 3.12.6-1.el5_4 |
redhat/nspr-devel | <4.8.4-1.el5_4 | 4.8.4-1.el5_4 |
redhat/nss-devel | <3.12.6-1.el5_4 | 3.12.6-1.el5_4 |
redhat/nss-pkcs11-devel | <3.12.6-1.el5_4 | 3.12.6-1.el5_4 |
redhat/nss-tools | <3.12.6-1.el5_4 | 3.12.6-1.el5_4 |
redhat/nspr | <4.8.4-1.1.el4_8 | 4.8.4-1.1.el4_8 |
redhat/nss | <3.12.6-1.el4_8 | 3.12.6-1.el4_8 |
redhat/nspr-devel | <4.8.4-1.1.el4_8 | 4.8.4-1.1.el4_8 |
redhat/nss-devel | <3.12.6-1.el4_8 | 3.12.6-1.el4_8 |
redhat/nss-tools | <3.12.6-1.el4_8 | 3.12.6-1.el4_8 |